Moodle Compliance with GDPR

On 21 December, Moodle published its approach and plan in terms of supporting organisations with becoming General Data Protection and Regulation (GDPR) compliant under new EU legislation coming into force on 25 May 2018.

Moodle took the time in mid-2017 to collate feedback from the Moodle community about organisations’ needs around GDPR compliance. In addition to this, it consulted a lawyer familiar with EU data protection legislation to formulate a plan.

Moodle set out a number of features in the form of plugins to go into development, covering:

On-boarding of new users

Privacy Statements

Tracking of consent

Handling of subject access requests

They have split the functionality into two parts, the first being how data is consented for upon acquisition (essentially the top 3 points above) and the second part being compliance with subject access requests (SARs). The latter follows a trend in recent years to be able to request any and all data held about you as well as having the right to be forgotten as is frequently seen in requests to sites like Google and social media applications.

Timeline for plugin release

The plugins will become core code in Moodle version 3.5 due in late 2018 but are scheduled for release in March 2018 to be utilised with versions 3.3 and 3.4. Users on versions below 3.3 will not be able to utilise these particular plugins however Moodle is reviewing other solutions for users of 3.2 and below.

Will these plugins make me GDPR compliant?

The answer is absolutely a big ‘No!’ Moodle is also very clear about this, saying:

“Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required” – Moodle Blog

So no, the plugins are not a magic bullet to help meet all of GDPR and in-fact if you are not on a version of Moodle that will support the plugins, there is no need to panic. You can perfectly comply with GDPR by ensuring your business processes and interactions with users are up to scratch. We can then support you with compliance in Moodle with or without the plugins.

The Moodle plugin tools will be helpful in making the process easier and automated but they are not a pre-requisite for compliance.

How serious is GDPR in terms of Moodle Data?

For most of our customers, data that is hosted by us does not fall into the high value/risk categories which are mainly considered to be medical and financial records of individuals. We do not process any data of that sort for customers.

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier such as name, identification number, location data or online identifier.

Personal data that has been pseudonymised, e.g. key-coded, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

The more serious application of GDPR is towards ‘Sensitive Personal Data’ including racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

As a provider of Moodle services, we do not hold any of that data on users. However, one caveat to that might be when considering forum posts or chats within the Moodle system that might reveal this information to others publically as well as records of any proclamations made using such tools. Users of such tools will need to sign up to terms of use policies. Privacy policies will have to cover these scenarios in much the same way as we now allow or deny the use of cookies in web browsers.

In short, Moodle as a platform compared to other organisational databases is not where GDPR is strongly aimed. GDPR compliance around VLE’s in general should not be seen as an excessive task or something that is ever likely to pose a threat of millions of pounds in fines should there be a breach.

Where to start?

Data that ends up in Moodle usually originates from another source such as the student records system (SRS) of an academic institution or some other form of CRM from a Moodle operating organisation.

CoSector, University of London is a data processor, not a data controller and the processing of customer data is undertaken under customer instruction. We still have obligations in how we process that data but at the point of processing by us the data should already be compliant with GDPR.

This means that your organisational processes when adding user data to a CRM or SRS, needs to include all the safeguards as set out in the GDPR legislation.

Ultimately it’s our recommendation that you have a suitable member of staff or a team that can ensure you are GDPR compliant or have a consultancy review your business processes to give you actions to implement in your organisation.

Our provision to customers (and authorities) as a data processor

To support our customers and meet our GDPR obligations, we will:

Keep a register of our data processing activities, which will be made available to supervisory authorities on request;

Ensure we can respond to a Request for data on a specific individual or individuals within 30 days (reduced down from the data protection Act’s current time of 40 days);

Provide the Name and contact details of the processor, the controller(s) we work for and their data protection officer;

Keep records that can specify the categories of processing carried out;

Report on transfers of personal data to a third country document the suitable safeguards. Any third party we use for data processing will have the same if not better standards than our own. For example, data stored in cloud services such as AWS or MS Azure;

Maintain a general description of our technical and organisational security measures;

As a service provider, if we suspect that you as a customer and data controller are instructing us to do something that we believe infringes on GDPR, we will notify you.